IDOR in AI-Generated APIs: What Cursor Won't Check for You

Dev.to AI
Generative AI

TL;DR

- AI editors generate routes that fetch resources by ID with no ownership check -- classic IDOR (CWE-639).
- The pattern is everywhere in vibe-coded apps: any authenticated user can read any other user's data.
- One extra condition in the DB query fixes it -- the problem is AI doesn't add it unless you ask.

I reviewed a side project last month. Node/Express backend, Cursor-generated, clean structure, well-commented. The developer was proud of their auth setup -- JWT tokens, bcrypt passwords, protected routes. Proper stuff.

Logged in as user 847, I got back user 1's order. All of it.
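Here is the shape of the bug and the one-condition fix side by side, as an added example rather than code from the reviewed project. The handlers are written Express-style (`req.params`, `req.user` populated by a JWT middleware, `res.status().json()`) but run without Express: the `ORDERS` rows, the `db.findOne` query shim and the `makeRes`/`simulate` helpers are constructed here so the snippet executes stand-alone under node. The route names, the user ids 847 and 1 and the order data are illustrative.

```javascript
// Constructed sample rows standing in for an `orders` table.
const ORDERS = [
  { id: 1, user_id: 1, total: 49.99 },
  { id: 2, user_id: 847, total: 12.5 },
];

// Toy query layer mimicking a parameterised
// `SELECT * FROM orders WHERE col1 = ? AND col2 = ? LIMIT 1`.
// Every key in `where` becomes one AND-ed condition.
const db = {
  findOne(table, where) {
    const row = table.find((r) =>
      Object.entries(where).every(([col, val]) => r[col] === val)
    );
    return row ?? null;
  },
};

// Minimal Express-like response object recording status and JSON body.
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// VULNERABLE (the generated route): authentication has already run, so
// req.user says who the caller is, but the query keys only on the
// caller-controlled :id. Any logged-in user can fetch any order.
//   SQL equivalent: SELECT * FROM orders WHERE id = ?
function getOrderVulnerable(req, res) {
  const order = db.findOne(ORDERS, { id: Number(req.params.id) });
  if (!order) return res.status(404).json({ error: "not found" });
  return res.json(order);
}

// FIXED: the owner is part of the same WHERE clause that fetches the row,
// so authorization is enforced by the query itself; there is no window
// where a foreign row is loaded before a separate check. A non-owned id
// gets the same 404 as a nonexistent one, which avoids confirming that
// the order exists.
//   SQL equivalent: SELECT * FROM orders WHERE id = ? AND user_id = ?
function getOrderFixed(req, res) {
  const order = db.findOne(ORDERS, {
    id: Number(req.params.id),
    user_id: req.user.id,
  });
  if (!order) return res.status(404).json({ error: "not found" });
  return res.json(order);
}

// Drive a handler as if user `authUserId` requested GET /orders/:orderId.
function simulate(handler, authUserId, orderId) {
  const req = { params: { id: String(orderId) }, user: { id: authUserId } };
  const res = makeRes();
  handler(req, res);
  return { status: res.statusCode, body: res.body };
}

// Reproduce the review finding: user 847 asks for order 1 (owned by user 1).
function demo() {
  console.log("vulnerable:", simulate(getOrderVulnerable, 847, 1)); // leaks user 1's order
  console.log("fixed:     ", simulate(getOrderFixed, 847, 1));      // 404
  console.log("own order: ", simulate(getOrderFixed, 847, 2));      // order 2, as expected
}
demo();
```

The same `user_id = ?` condition belongs on every route that takes a resource id, including the PUT and DELETE handlers, not just the GET that happened to get tested; a missing `user_id` column on the table is the tell that the data model never had ownership in mind.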